PT-2015-2726 · Microsoft · Office Visio+12
Published: 2015-11-10 · Updated: 2018-10-12 · CVE-2015-2503
CVSS v2.0: 9.3 (High)
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Microsoft Access versions 2007 SP3 through 2016
Microsoft Excel versions 2007 SP3 through 2016
Microsoft InfoPath versions 2007 SP3 through 2013 SP1
Microsoft OneNote versions 2007 SP3 through 2016
Microsoft PowerPoint versions 2007 SP3 through 2016
Microsoft Project versions 2007 SP3 through 2016
Microsoft Publisher versions 2007 SP3 through 2016
Microsoft Visio versions 2007 SP3 through 2016
Microsoft Word versions 2007 SP3 through 2016
Skype for Business version 2016
Microsoft Lync version 2013 SP1
Description
The vulnerability stems from insufficient access restrictions on certain features in Microsoft Office software. A remote attacker can bypass a sandbox protection mechanism and gain privileges via a crafted web site accessed with Internet Explorer, moving from Low Integrity to Medium Integrity. The vulnerability exists when an attacker instantiates an affected Office application via a COM control, potentially allowing the attacker to gain elevated privileges and break out of the Internet Explorer sandbox.
Recommendations
Until the update is applied, the same temporary workaround applies to every affected product (Microsoft Access, Excel, OneNote, PowerPoint, Project, Publisher, Visio and Word versions 2007 SP3 through 2016; Microsoft InfoPath versions 2007 SP3 through 2013 SP1; Skype for Business version 2016; Microsoft Lync version 2013 SP1): disable or restrict instantiation of the application via its COM control, which removes the path used to escape the Internet Explorer sandbox.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Internet Explorer
Access
Office Excel
InfoPath
Lync
Office OneNote
Office PowerPoint
Office Project
Office Publisher
Office Visio
Office Word
Office Access
Skype for Business